480 likes | 1.13k Vues
Web server security. Dr Jim Briggs. What do we mean by secure?. 100% security Trading off security versus convenience Particular vulnerabilities of the Internet The "wild west". Open to the outside world Aim to attract strangers! Left unattended (largely) Lots of potential security holes
E N D
Web server security Dr Jim Briggs WEBP security
What do we mean by secure? • 100% security • Trading off security versus convenience • Particular vulnerabilities of the Internet • The "wild west" WEBP security
Open to the outside world Aim to attract strangers! Left unattended (largely) Lots of potential security holes Running other people's buggy software Running own buggy software (even worse!) Large amount of code (often) Visitors are largely anonymous and can be very remote Communication can be eavesdropped (unless encrypted) Difficult (impossible?) to test exhaustively Vulnerability of web systems WEBP security
Server risks • Bugs or misconfiguration problems in the Web server that allow unauthorized remote users to: • Steal confidential documents not intended for their eyes. • Execute commands on the server host machine, allowing them to modify the system. • Gain information about the Web server's host machine that will allow them to break into the system. • Launch denial-of-service attacks, rendering the machine temporarily unusable. WEBP security
Client risks • Browser-side risks, including: • Active content (e.g. Java, JavaScript, ActiveX) that • crashes the browser • damages the user's system • breaches the user's privacy, or • merely creates an annoyance • The misuse of personal information knowingly or unknowingly provided by the end-user • passwords • credit card numbers • other sensitive data WEBP security
Network risks • Interception of network data sent from browser to server or vice versa via network eavesdropping. • Eavesdroppers can operate from any point on the pathway between browser and server including: • The network on the browser's side of the connection • The network on the server's side of the connection (including intranets). • The end-user's Internet service provider (ISP) • The server's ISP • Either ISPs' regional access provider WEBP security
General security techniques • Keep your software up to date with security patches • Try not to use unsafe techniques (e.g. CGI, SSI) • If you have to use them, test them thoroughly • Include own use of hacker tools • Design and implement an access control policy (both via the web and to the host server) • Log everything; monitor the logs; and investigate suspicious activity WEBP security
Specific server side issues • Back door access to the server • Remote/local login • FTP • Alternative web sites hosted on same machine • Don't run the server as "root" • Turn off un-needed … • features in software • IP ports • Firewalls WEBP security
Denial of service (DoS) attacks • Definition: • attack designed to render a computer or network incapable of providing normal services • Typical attacks • Bandwidth attacks • flood network with high volume of traffic • consequence – all available network resources are consumed and legitimate user requests can not get through • Connectivity attacks • flood computer with high volume of connection requests • consequence – all available operating system resources are consumed, and computer can not process legitimate requests WEBP security
Distributed DoS (DDoS) attacks • Many hosts simultaneously attack target • Typically caused by agent hijacking vulnerable hosts (e.g. via virus) • As important to protect your machine from hijack as it is to protect it from attack • Techniques: • Scan regularly for DDoS tools • Do egress filtering (check for spoofed packets) WEBP security
HTTP security • Authentication • Basic • Digest • Secure transport • SSL WEBP security